PolarSSL contains a flaw in the RSA-CRT implementation. The issue is due to a bias in the implementation of the Montgomery multiplication that exposes timing differences. This may allow an attacker to recover the RSA private key via a timing attack.